Go Back   DreamTeamDownloads1, FTP Help, Movies, Bollywood, Applications, etc. & Mature Sex Forum, Rapidshare, Filefactory, Freakshare, Rapidgator, Turbobit, & More MULTI Filehosts > Computer/MAC Help/Info. & New Technology > General Computer/Android Help, News & Info + New Technology

General Computer/Android Help, News & Info + New Technology Find All The Latest Reports/Reviews in Here. Start a New Thread in Here if You Need Help

IMPORTANT ANNOUNCEMENT
Hallo to All Members. As you can see we regularly Upgrade our Servers, (Sorry for any Downtime during this). We also have added more Forums to help you with many things and for you to enjoy. We now need you to help us to keep this site up and running. This site works at a loss every month and we appeal to you to donate what you can. If you would like to help us, then please just send a message to any Member of Staff for info on how to do this,,,, & Thank You for Being Members of this site.
Post New ThreadReply
 
LinkBack Thread Tools Display Modes
Old 06-06-12, 13:55   #1
Visiting Staff/Admin
 
Join Date: May 2012
Posts: 13
Thanks: 11
Thanked 22 Times in 10 Posts
js3811 is on a distinguished road
Default Flame Virus: How to Check if You Are Infected With Malware

C/P

By MATTHEW CHAPMAN:

Kaspersky Lab has taken a look at the code for the Flame Virus and has started to map some of the qualities of this malicious malware.




Using the information collected so far it is possible to find out if a computer has been infected.

"The main module of Flame is a DLL file called mssecmgr.ocx," Alexander Gostev, chief security expert at Kaspersky Lab, revealed in a blog post.

"We've discovered two modifications of this module. Most of the infected machines contained its 'big' version, 6Mb in size, and carrying and deploying additional modules. The smaller version's size is only 900Kb and contains no additional modules. After installation, the small module connects to one of the C&C servers and tries to download and install the remaining components from there."

Gostev said the Mssecmgr file may be called different names on infected machines, depending on the method of infection and the current internal state of the malware (installation, replication, upgrade). For example, it could be called wavesup3.drv, ~zff042.ocx or msdclr64.ocx.

Step 1

Perform a search for the file ~DEB93D.tmp. Its presence on a system means that it either is or has been infected by Flame.

Step 2

Check the registry key HKLM_SYSTEMCurrentControlSetControlLsa Authentication Packages. If you find mssecmgr.ocx or authpack.ocx in there - you are infected with Flame.

Step 3

Check for the presence of the following catalogues. If they are present - you are infected.

C:Program FilesCommon FilesMicrosoft SharedMSSecurityMgr

C:Program FilesCommon FilesMicrosoft SharedMSAudio

C:Program FilesCommon FilesMicrosoft SharedMSAuthCtrl

C:Program FilesCommon FilesMicrosoft SharedMSAPackages

C:Program FilesCommon FilesMicrosoft SharedMSSndMix

Step 4

Conduct a search for the rest of the filenames listed below. All of them are unique and if they are discovered there is a strong possibility of a Flame Virus infection.

mssecmgr.ocx
advnetcfg.ocx
msglu32.ocx
nteps32.ocx
soapr32.ocx
ccalc32.sys
boot32drv.sys
~DEB93D.tmp
~8C5FF6C.tmp
~DF05AC8.tmp
~DFD85D3.tmp
~DFL*.tmp
~dra*.tmp
~fghz.tmp
~HLV*.tmp
~KWI988.tmp
~KWI989.tmp
~rei524.tmp
~rei525.tmp
~rf288.tmp
~rft374.tmp
~TFL848.tmp
~TFL849.tmp
~mso2a0.tmp
~mso2a1.tmp
~mso2a2.tmp
sstab*.dat
dstrlog.dat
lmcache.dat
mscrypt.dat
wpgfilter.dat
ntcache.dat
rccache.dat
audfilter.dat
ssitable
audache
secindex.dat
wavesup3.drv
svchost1ex.mof
Svchostevt.mof
frog.bat
netcfgi.ocx
authpack.ocx
~a29.tmp
rdcvlt32.exe
to961.tmp
authcfg.dat
Wpab32.bat
ctrllist.dat
winrt32.ocx
winrt32.dll
scsec32.exe
grb9m2.bat
winconf32.ocx
watchxb.sys
sdclt32.exe
scaud32.exe
pcldrvx.ocx
mssvc32.ocx
mssui.drv
modevga.com
indsvc32.ocx
comspol32.ocx
comspol32.dll
browse32.ocx

Kaspersky Lab's detailed look at the functionality of the malware shows that it contains a number of different elements, all with specific jobs.

For example, the Beetlejuice unit can use Bluetooth to turn your computer into a 'beacon' and announces it as a discoverable device. Meanwhile, the Weasel unit creates a directory listing of the infected computer.

Below is a brief overview of the available units. The names were extracted from the binary and the 146 resource.

Beetlejuice

Bluetooth: enumerates devices around the infected machine.
May turn itself into a "beacon": announces the computer as a discoverable device and encode the status of the malware in device information using base64.

Microbe

Records audio from existing hardware sources. Lists all multimedia devices, stores complete device configuration, tries to select suitable recording device.

Infectmedia

Selects one of the methods for infecting media, i.e. USB disks. Available methods: Autorun_infector, Euphoria.

Autorun_infector

Creates "autorun.inf" that contains the malware and starts with a custom "open" command. The same method was used by Stuxnet before it employed the LNK exploit.

Euphoria

Create a "junction point" directory with "desktop.ini" and "target.lnk" from LINK1 and LINK2 entries of resource 146 (were not present in the resource file). The directory acts as a shortcut for launching Flame.

Limbo

Creates backdoor accounts with login "HelpAssistant" on the machines within the network domain if appropriate rights are available.

Frog

Infect machines using pre-defined user accounts. The only user account specified in the configuration resource is "HelpAssistant" that is created by the "Limbo" attack.

Munch

HTTP server that responds to "/view.php" and "/wpad.dat" requests.

Snack

Listens on network interfaces, receives and saves NBNS packets in a log file. Has an option to start only when "Munch" is started. Collected data is then used for replicating by network.

Boot_dll_loader

Configuration section that contains the list of all additional modules that should be loaded and started.

Weasel

Creates a directory listing of the infected computer.

Boost

Creates a list of "interesting" files using several filename masks.

Telemetry

Logging facilities

Gator

When an Internet connection becomes available, it connects to the C&C servers, downloads new modules, and uploads collected data.

Security

Identifies programs that may be hazardous to Flame, i.e., anti-virus programs and firewalls.

Bunny, Dbquery, Driller, Headache and Gadget

The purpose of these modules is not yet known.

http://www.ibtimes.co.uk/articles/346825/20120530/flame-virus-malware-check-infected.htm
Take care.
__________________
Download faster! >>>
You can help this site, by clicking on the link below to buy a Premium Account.
& Thank you for helping us. Click;



js3811 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiTweet this Post!
Reply With Quote
Old 09-06-12, 18:01   #2
The Enigma
 
photostill's Avatar
 
Join Date: Apr 2012
Posts: 9,978
Thanks: 3,012
Thanked 1,524 Times in 928 Posts
photostill has a brilliant futurephotostill has a brilliant futurephotostill has a brilliant futurephotostill has a brilliant futurephotostill has a brilliant futurephotostill has a brilliant futurephotostill has a brilliant futurephotostill has a brilliant futurephotostill has a brilliant futurephotostill has a brilliant futurephotostill has a brilliant future
Default Re: Flame Virus: How to Check if You Are Infected With Malware

Since Kaspersky has revealed to the public and world at large the existence of Flame, the controllers of Flame have sent out the kill and delete command. It will now rapidly disappear in an attempt to prevent discovery of how it was done.

This malware itself will now fade away as being a problem.
__________________

You can help this site, by clicking on the link below to buy a Premium Account.
& Thank you for helping us. Click;




photostill is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiTweet this Post!
Reply With Quote
Old 29-08-12, 21:01   #3
pop
Official Site Mascot/Moderator
 
pop's Avatar
 
Join Date: Jun 2011
Posts: 1,178
Thanks: 2,019
Thanked 1,001 Times in 636 Posts
pop has much to be proud ofpop has much to be proud ofpop has much to be proud ofpop has much to be proud ofpop has much to be proud ofpop has much to be proud ofpop has much to be proud ofpop has much to be proud of

Awards Showcase
Bronze Medal 
Total Awards: 1

Default Re: Flame Virus: How to Check if You Are Infected With Malware

So your saying, "don't worry about it?" Is that right?
pop is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiTweet this Post!
Reply With Quote
Post New ThreadReply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2019, vBulletin Solutions Inc.
SEO by vBSEO 3.5.2
Designed by: vBSkinworks